HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-46669Published Modified CNA GitHub_M

CVE-2026-46669: `openvm-pairing` pairing check missing proper subfield check on scaling factor

OpenVM is a performant and modular zkVM framework built for customization and extensibility. Prior to version 1.6.0, the openvm-pairing guest library's try_honest_pairing_check function invokes Theorem 3 of https://eprint.iacr.org/2024/640.pdf but does not check that the scaling factor s is in a proper subfield of Fp12. This allows incorrect results to the pairing check. This issue has been patched in version 1.6.0.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A cryptographic integrity bypass affects the openvm-pairing guest library in the OpenVM zkVM framework (versions before 1.6.0). The vulnerability is reachable over the network with no authentication required, and stems from the try_honest_pairing_check function failing to verify that the scaling factor s is an element of the correct subfield of Fp12 when executing a pairing check. Successful exploitation allows an attacker to cause the pairing check to return an incorrect result, meaning invalid cryptographic proofs can be accepted as valid, breaking the integrity guarantees of any system relying on that check. HarborGuard tracks this advisory and will make a patched-image rebuild available at version 1.6.0 as soon as affected images are identified in customer environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the openvm-pairing library. Any image carrying an affected version of openvm-org/openvm (below 1.6.0) is flagged automatically.

Available
Triage

HarborGuard scores this finding at CVSS 8.7 (HIGH) using the published v4.0 vector and weights it against each customer organization's compliance policy before routing the alert to the appropriate team inbox. Per-environment policy configuration controls whether the finding escalates as a blocking issue or an advisory notification.

Available
Patch

Because no upstream fix version has been published yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point without requiring manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The affected library is exposed over the network, meaning an attacker can send crafted inputs to a pairing check endpoint without requiring local or adjacent-network access.

  • AuthenticationNot required

    No authentication is needed; the attacker can interact with the vulnerable pairing check function anonymously.

  • Victim interactionNot required

    Exploitation requires no action from a user or operator; the attacker triggers the faulty check directly.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental prerequisites.

Blast Radius

  • An attacker can submit an invalid cryptographic proof that the pairing check accepts as valid, breaking the soundness guarantee of any zkVM circuit relying on this function.
  • Any downstream system that trusts pairing-check results (smart contracts, proof verifiers, bridge validators) can be made to accept fraudulent state transitions or falsified computations.
  • Integrity of all data or transaction state guarded by proofs generated under the affected library version is undermined, since the verification step can be silently defeated.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all customer image registries and CI pipelines. Because no upstream fix has been published, the current capability is continuous advisory monitoring: HarborGuard re-checks the openvm-org/openvm advisory on every ingest cycle and will surface a patched-image rebuild at version 1.6.0 the moment the upstream fix is confirmed. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression test run and open a PR against affected workloads. In the interim, recommended compensating controls include isolating services that invoke try_honest_pairing_check behind strict network-policy rules to limit inbound callers, applying input-validation layers that reject proof inputs from untrusted sources before they reach the pairing check, and reviewing any downstream verifier logic that acts on pairing-check results without a secondary integrity gate.

See how HarborGuard automates this
Affected packages
  • openvm-org / openvm
    < 1.6.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References